SOURCE: Cenzic

February 28, 2008 12:01 ET

Cenzic Trends Report Highlights 2007 as Another Crisis Year for Web Security

Microsoft Internet Explorer Least Vulnerable Browser in Q4

SANTA CLARA, CA--(Marketwire - February 28, 2008) - Cenzic Inc., the innovative leader of application vulnerability assessment and risk management solutions, today released its Application Security Trend Report for Q4 2007. This report includes a consolidation of findings for all of 2007, along with the Top 10 Web application vulnerabilities highlighted for both Q4 and Top Five Web application vulnerabilities for the year. In spite of a slight decrease in total number of vulnerabilities, Web application vulnerabilities continue to be the largest percentage of vulnerability types, and increased 3 percent over Q3, while attacks and probes rose from 1.3 million in October to 1.7 million in December. In a surprising twist, Microsoft Internet Explorer proved to be the least vulnerable browser when compared to Safari, Opera and Mozilla Firefox.

"As seen in the report, Web application vulnerabilities dominated much of 2007," said Mandeep Khera, VP of marketing at Cenzic. "We saw some major attacks through Web sites in 2007. We haven't seen the impact from the holiday season yet because many times it takes months for corporations to realize they have been attacked. In addition, hackers are no longer interested in publicizing their conquests; their main goal is now profit. While organizations are more conscious of security for Web applications, we need to see a lot more initiatives for Web security in 2008. Web application security is reaching a crisis point."

Cenzic Application Security Trends Report - Q4

The Cenzic Application Security Trends Report emphasizes the Top 10 Web application vulnerabilities from published reports in Q4 2007, illustrating trends among thousands of corporations, financial institutions and government agencies. However, these findings do not take into account the thousands of vulnerabilities that are created while programming in-house or proprietary applications, many of which are outsourced to other countries including India, China and Russia.

In the report, Cenzic identified 1,404 unique published vulnerabilities in the fourth quarter of 2007, of which 71 percent were attributed to Web applications and 70 percent of the reported vulnerabilities were classified as easily exploitable. Cross-Site Scripting (XSS) and SQL Injection were the most frequent vulnerabilities reported, which was consistent throughout 2007. To download the Cenzic Application Security Trends Report Q4 2007, visit http://www.cenzic.com.

Top 10 vulnerabilities in Commercial and Open Source Web Applications from Q4 2007:

--  OpenSSL Off-By-One Overflow - An off-by-one overflow is triggered by
    the SSL_get_shared_ciphers() function and can execute arbitrary code on the
    target system.
    
--  Java Web Start Bugs - A remote user can create a specially crafted
    applet that, when loaded by the target user, can read local files, write to
    local files or determine the location of the Java Web Start cache.
    
--  Adobe Acrobat URI Handling Bug - A remote user can create a PDF file
    with a specially crafted Web link that, when loaded by the target user,
    will trigger the URI handling flaw and execute arbitrary commands on the
    target system.
    
--  IBM Lotus Notes Buffer Overflow - A remote user can send a specially
    crafted HTML-based e-mail message that, when replied to, forwarded or
    copied to the clipboard by the target user, will trigger a buffer overflow
    in the TagAttributeListCopy() function in 'nnotes.dll' and execute arbitrary
    code on the target system.
    
--  RealPlayer Input Validation Flaw - A remote user can create a
    specially crafted HTML page that, when loaded by the target user, will load
    an ActiveX control and trigger a flaw in 'ierpplug.dll' to execute arbitrary
    code on the target system.
    
--  IBM WebSphere Application Server Input Validation Hole - A validation
    hole allows arbitrary code to access the target user's cookies, including
    authentication cookies, access data recently submitted by the target user
    via Web form to the site or take actions on the site acting as the target
    user.
    
--  IBM WebSphere Input Validation Hole - A validation hole allows
    arbitrary code to access the user's cookies, including authentication
    cookies, access data recently submitted by the target user via Web form to
    the site, or take actions on the site acting as the target user.
    
--  PHP Buffer Overflows, Filtering Bypass and Configuration Bypass Bugs -
    A user may be able to trigger a buffer overflow in certain functions,
    supply partial multibyte sequences to certain functions to potentially
    bypass the filtering functions and can invoke a function to overwrite
    values.
    
--  Apache Input Validation Hole - A validation hole allows arbitrary code
    originating from Apache software to access the user's cookies, including
    authentication cookies, access data recently submitted by the target user
    via Web form to the site, or take actions on the site acting as the target
    user.
    
--  Adobe Flash Player Bugs - A remote user can execute arbitrary code on a
    target user's system, conduct cross-site scripting and request splitting
    attacks and conduct port scans via Adobe Flash Player.
    
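Several entries above (the WebSphere and Apache "input validation holes" and the Flash Player cross-site scripting bug) describe the same underlying defect: user-supplied text is reflected into a page without encoding, so a browser parses it as script that can then read the user's cookies. The following example is added here to make that concrete; it is not Cenzic's code and is not tied to any of the products named in the list. It uses a constructed page template and a constructed probe string, shows the unencoded reflection beside the output-encoded form, and adds the HttpOnly/Secure cookie attributes that keep a session cookie out of reach of page script.

```python
import html

# Constructed page template: a search results page that echoes the user's term.
PAGE_TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"

# Constructed probe string: the classic harmless marker used to confirm reflection.
SAMPLE_PROBE = '<script>alert("xss")</script>'


def render_vulnerable(term: str) -> str:
    """The 'validation hole': the term is placed into HTML exactly as received,
    so any markup it contains is parsed and executed by the browser."""
    return PAGE_TEMPLATE.format(term=term)


def render_hardened(term: str) -> str:
    """Output encoding: html.escape turns <, >, &, " and ' into entities, so the
    term is displayed as text rather than interpreted as markup."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


def session_cookie_header(session_id: str, hardened: bool) -> str:
    """Builds a Set-Cookie header line. The hardened form adds HttpOnly (script
    cannot read the cookie) and Secure (cookie is only sent over HTTPS), which
    limits what an injected script could exfiltrate even if encoding is missed."""
    attrs = ["Path=/"]
    if hardened:
        attrs += ["HttpOnly", "Secure"]
    return "Set-Cookie: SESSIONID=" + session_id + "; " + "; ".join(attrs)


def reflects_markup(page: str, probe: str) -> bool:
    """Simple detection check a scanner would perform: does the response contain
    the probe verbatim, i.e. with its angle brackets intact?"""
    return probe in page


if __name__ == "__main__":
    print("vulnerable reflects probe:", reflects_markup(render_vulnerable(SAMPLE_PROBE), SAMPLE_PROBE))
    print("hardened reflects probe:  ", reflects_markup(render_hardened(SAMPLE_PROBE), SAMPLE_PROBE))
    print(session_cookie_header("example-session-id", hardened=True))
```

The `reflects_markup` check is the same yes/no test an assessment tool applies to each parameter: submit a marker, then look for it unencoded in the response. Encoding at the point of output is the fix for the reflection itself; the cookie attributes are defence in depth for the cookie-theft consequence the list entries describe.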

As part of the study, Cenzic incorporated findings from Cenzic ClickToSecure, its leading-edge managed security assessment and penetration testing service (SaaS), and research from Cenzic Intelligent Analysis (CIA) Labs. Some of the key findings include:

--  Seven of 10 analyzed Web applications engaged in insecure
    communication practices that could potentially lead to the exposure of
    sensitive or confidential user information during transactions.
    
--  Cross-Site Scripting continues to be the most common injection flaw
    type, affecting six out of 10 Web applications.
    
--  Three out of 10 Web applications were found to be vulnerable to types
    of SQL injection attacks that could result in a direct compromise of the
    application's back-end user by an attacker.
    
--  Information leaks and exposures, cross-site scripting and session
    management were among the most prevalent vulnerabilities.
    

About Cenzic

Cenzic is the next-generation Web application security assessment and risk management solutions leader. The Cenzic suite of application security solutions fits the need of any company from remote, Software as a Service (ClickToSecure®), for testing one or more applications, to a full enterprise-wide solution (Cenzic Hailstorm® Enterprise ARC) for effectively managing application security risks across an enterprise. Always an innovator, Cenzic has integrated Hailstorm with VMware to enable testing of production Web applications through virtualization -- making Cenzic the only company in the industry with a complete solution for assessing Web applications in all stages from development to production. In addition, Cenzic solutions, targeted at financial services, e-retail, high-tech, energy, healthcare and government sectors, are the most accurate, comprehensive and extensible in the industry, empowering organizations to stay on top of unrelenting application security threats.

Contact Information

Tami Casey
Kulesa PR for Cenzic
(650) 340-1984